APD/GBA (Belgium) - 29/2023

From GDPRhub
APD/GBA - 29/2023
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 25(1) GDPR
Article 25(2) GDPR
Article 32 GDPR
Article 33 GDPR
Article 34 GDPR
Article 60 GDPR
Type: Complaint
Outcome: Rejected
Started: 07.04.2021
Decided: 17.03.2023
Fine: n/a
Parties: Meta
National Case Number/Name: 29/2023
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Dutch
Original Source: APD/GBA (in NL)
Initial Contributor: ls

The Belgian DPA rejected several complaints against Meta following a data leakage, considering that it was bound by a previous decision of the Irish DPC on that matter, even though the DPC decision focused on GDPR provisions other than those raised in the complaints.

English Summary

Facts

The controller in this case was Meta Platforms Technologies Ireland Limited (hereafter Meta).

Following a suspected data leakage concerning around 3,000,000 Belgian Facebook users, on 7 April 2021, the Belgian DPA called on Belgian citizens to check on the website https://benikerbij.be whether their data were part of the data leakage and if necessary to lodge a complaint with the DPA. Following this call, 1,113 complaints were lodged.

On 14 April 2021, the Irish DPC opened its “own volition inquiry” to determine whether Meta complied with its privacy obligations with the functionalities Facebook Search, Facebook Contact Importer, Messenger Contact and Instagram Contact. On 29 July 2021, the Irish DPC was notified of the existence of complaints lodged with the Belgian DPA regarding the events under investigation.

In September 2022, under Article 60(3) GDPR, the DPC submitted a draft decision to various DPAs, including the Belgian one, which communicated its objections. In particular, in contrast to what the DPC had held, the Belgian DPA considered that data scraping should have been considered a data breach and that Meta had a duty to inform its users of the data leakage.

On 25 November 2022, the DPC adopted its final decision. Its investigation revealed that in the Facebook search tool, the default settings allowed all users to find each other's profiles via their phone numbers or email addresses (with a possibility to deactivate it manually). It therefore concluded that there was a strong risk that the phone numbers and email addresses would be scraped and linked to the identity of their owners. It also held that after the leakage, Meta did not implement adequate technical and organizational measures and failed to demonstrate that it had conducted a risk analysis.

Therefore, the DPC found a violation of Articles 25(1), 25(2), 5(1)(b) and 5(1)(f) GDPR, ordered Meta to comply with these provisions, and imposed fines of €150,000,000 and €115,0000 for the violations of Articles 25(1) and 25(2) respectively.

Holding

The complaints in Belgium related to a possible violation of Articles 32 to 34 GDPR, whereas the DPC decision focused on Article 25. The key question, according to the DPC, was not whether there was an unauthorized disclosure of personal data or some other form of data breach, but to what extent appropriate measures had been taken to ensure that the data protection principles were observed when implementing the choices of Meta users. For this reason, the DPC's investigation focused on Article 25. The Belgian DPA considered that the focus on Article 25 did not cause any prejudice to the complainants.

In the context of the cooperation procedure of Article 60 GDPR, the DPA considered itself bound by the decision of the DPC, which was exclusively competent. Therefore, it rejected the complaints in Belgium.

English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.